Less than one-third of businesses keep their virtualization servers on-premises and managed entirely by their own internal IT staff, according to a Kaspersky Lab survey of 3,900 IT professionals worldwide. As virtual infrastructure increasingly handles more business-critical services, the reliance on external hosting and management services raises potential security concerns, particularly for smaller businesses.

Off-site vs. On-Premises: Based on Business Size

According to the more than 2,000 survey respondents who use virtual servers, only 29% report that their physical machines were located within the walls of their business and maintained by only internal staff. On the opposite end of the spectrum, 17% of business rely completely on third-party contractors to house and maintain their virtual servers and services. By far, the largest proportion of businesses, approximately 50%, rely on a mixture of third-party hosting and maintenance.

It should come as no surprise that the vast majority of businesses are using hosting services in some capacity for their virtual infrastructure. The benefits of reduced cost and complexity for most IT departments are clear, and these service providers can more easily add capacity to support growing businesses. When examining the responses based on the business size, the data supports the conventional wisdom that smaller companies, which have fewer IT staffers and a smaller IT budget, are more likely to use a third-party provider, whereas larger companies are most likely to manage their virtualization servers and services in-house. It’s clear that small businesses are most likely to rely solely on third-party providers to provide and manage all of their virtual computing needs.

To give a few examples, 41% of small businesses report using a third-party service to store all of their virtual servers at an off-site location, compared to just 26% of enterprises. For maintaining these virtual servers and the services they provide, 33% of small businesses rely completely on their third-party hosting provider, compared to just 18% of enterprises. Interestingly, very similar rates of both small businesses and enterprises use a mixture of in-house and external resources for storing virtual servers (23% for small business, 29% for enterprise) and maintaining the servers (31% for both small businesses and enterprises).

Critical Business Data Stored in the Cloud

As most businesses are content to store data beyond their own walls, it’s important to understand exactly what types of data are being entrusted to third-party providers. Kaspersky Lab has previously reported that virtualization is rapidly becoming used for more than just IT department tasks, as 52% of survey respondents agreed that virtual environments are now housing core elements of business IT infrastructure. Kaspersky Lab’s survey investigated what business functions are being implemented on virtual infrastructure, and found this perception was indeed correct.

According to the responses of businesses using some form of virtualization, these are the rates that services/applications are being implemented on virtual infrastructure compared to physical infrastructure:

• Email and communications applications (e.g., Microsoft Exchange) – 68% using virtual infrastructure
• Database applications (e.g., Microsoft SQL Server and Oracle) – 65% using virtual infrastructure
• Customer relationship management (CRM) platforms – 65% using virtual infrastructure
• Financial management/accounting applications – 56% using virtual infrastructure

It’s clear that businesses are very willing to put their most precious business data in virtual environments, and in turn, trust the management of these virtual environments to third-party providers. Are these businesses paying close enough attention to what their providers are doing enough to safeguard their business’s life-blood? This is a particularly worrisome question for SMBs, who likely lack the resources and sophistication to implement their own internal security measures and effectively evaluate the measures of their virtualization providers.

Here are some basic steps that SMBs can take to ensure the security of virtual networks on their own end, and to put appropriate scrutiny on the security measures of their third-party providers.

• Become familiar with expert resources on cloud security management. This paper from the Cloud Security Alliance, “The Notorious Nine: Cloud Computing Top Threats in 2013,” is a good place to start gathering information about threats to cloud-based data.
• Perform a thorough assessment of the security measures of any prospective virtualization services provider, and ensure they conform to industry standards like ISO 27001 and CSA STAR.
• Install a multi-layered security suite featuring heuristic and behavioral antivirus protection, host intrusion prevention system (HIPS), and protection against vulnerability exploitation on each workstation on the network.
• Ensure that data leaving the on-site infrastructure is sent using secure connections, or VPN connections for mobile users.

To ensure that businesses themselves don’t become the “weak link” in a virtualized environment, Kaspersky Lab continues to create new technologies that businesses can use to extend their own protection to data stored in off-site datacenters. Kaspersky Lab has also spent years working with leading virtualization platform providers to develop specialized security solutions to meet the unique security and performance requirements of virtual environments. Information about Kaspersky Security for Virtualization, as well as a number of resources to help explain different styles of virtualization security, can be found in Kaspersky Lab’s business center.

The highlights of business trends and usage around virtualization and virtualization security identified by Kaspersky Lab’s global survey can be found in Kaspersky Lab’s 2014 IT Security Risks for Virtualization summary report.